Developers Struggle with Application Security (and How to Make It Better)


Authors: Scott Gerlach


Challenges in implementing application security programs and tools for engineering teams
  • Starting a small application security program with a small engineering team and choosing a technology like SCA and DAST
  • Helping engineering teams understand and take measured risks in developing and testing code
  • Enabling process and tooling that can easily get people started quickly in testing application security
  • AppSec tools are built for security teams and can be complicated and difficult to understand for engineering teams
  • Using technical jargon and walls of text to describe application security issues can be confusing for engineering teams
The speaker mentioned that many security tools are built with a lot of options and buttons that can be overwhelming for engineering teams. They joked that engineers would probably hit the 'x' button quickly or make fun of the tool before figuring out how to use it. This highlights the importance of engaging engineering teams with user-friendly tools and information.


Abstract: We’ve all heard the buzz around pushing application security into the hands of developers, but if you’re like most companies, it has been hard to actually make this a reality. You aren’t alone - putting the culture, processes, and tooling into place to make this happen is tough. Join StackHawk CSO Scott Gerlach as he shares his triumphs and failures while building DevSecOps practices and tools at companies such as GoDaddy, SendGrid, and Twilio. Dig into specific reasons why developers struggle with AppSec and what you can do to make it work better. Whether you’re a seasoned DevSecOps pro or just starting out, this will be an entertaining (and judgement-free!) talk you won’t want to miss!

